User Added To Admin Group Via Sysadminctl

 1title: User Added To Admin Group Via Sysadminctl
 2id: 652c098d-dc11-4ba6-8566-c20e89042f2b
 3related:
 4    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
 5      type: obsolete
 6status: test
 7description: Detects attempts to create and add an account to the admin group via "sysadminctl"
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
10    - https://ss64.com/osx/sysadminctl.html
11author: Sohan G (D4rkCiph3r)
12date: 2023-03-19
13tags:
14    - attack.persistence
15    - attack.defense-evasion
16    - attack.initial-access
17    - attack.privilege-escalation
18    - attack.t1078.003
19logsource:
20    category: process_creation
21    product: macos
22detection:
23    selection:
24        # Creates and adds new user to admin group
25        Image|endswith: '/sysadminctl'
26        CommandLine|contains|all:
27            - ' -addUser '
28            - ' -admin '
29    condition: selection
30falsepositives:
31    - Legitimate administration activities
32level: medium

References

• atomic-red-team/atomics/T1078.003/T1078.003.md at master · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• sysadminctl Man Page - macOS - SS64.com

  sysadminctl Administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of...

  
  Read More

Related rules

• Admin User Remote Logon
• Root Account Enable Via Dsenableroot
• User Added To Admin Group Via Dscl
• User Added To Admin Group Via DseditGroup
• AWS IAM S3Browser LoginProfile Creation